Breach Based on Harm Threshold: Yes*
Deadline for Consumer Notice: As expeditiously as possible and without unreasonable delay
Government Notification Required: Yes
Scope of this Summary:
Notification requirements applicable to individuals, entities, and "information brokers" (as defined) that maintain covered info. Some types of businesses may be exempt from some or all of these requirements, and non-commercial entities may be subject to different requirements.
Risk of Harm Threshold
Notification to residents not required if, after a reasonable and prompt good-faith investigation, the covered entity determines that there is no reasonable possibility that the covered info has been or will be misused.
* Harm threshold does not apply to information brokers.
Unauthorized acquisition, release, or use of computerized data that compromises the security, confidentiality, or integrity of the covered info, excluding certain good-faith acquisitions by employees or agents.
Encryption Safe Harbor
Statute does not apply to information that is encrypted or redacted, so long as encryption key was not accessed or acquired.
Form of Covered Info
- An individual's first name, or first initial, and last name in combination with any one or more of the following data elements:
- Social Security number.
- Driver's license number or state identification card number.
- Account number, credit card number or debit card number, if circumstances exist wherein such a number could be used without additional identifying information, access codes or passwords.
- Account passwords or personal identification numbers or other access codes.
- Any of the data elements in the above list when not in connection with the individual's first name, or first initial, and last name, if the information if compromised would be sufficient to permit a person to fraudulently assume or attempt to assume the identity of the person whose information was compromised.
Consumer Notice Timing
Must be made as expeditiously as possible and without unreasonable delay, consistent with measures necessary to determine the scope of the breach and restore the reasonable integrity, security, and confidentiality of the data in the system.
Consumer Notice Method
By written notice or electronic notice if consistent with E-SIGN. Substitute notice is available if certain criteria are satisfied.
Consumer Notice Content
Content of notice undefined.
Notification may be delayed by law enforcement if they determine that it will compromise a criminal investigation. Notice must be given within seven business days after they determine that notification will not compromise the investigation.
If notification to residents is required, must also notify the appropriate state regulator (either Dept. of Professional and Financial Regulation or, if not regulated by the Department, the Attorney General).
Consumer Reporting Agency Notice
If more than 1,000 residents are notified, must notify all nationwide Consumer Reporting Agencies without unreasonable delay. The notification must include the date of the breach, estimated number of affected individuals, if known, and the date those individuals were or will be notified.
Exceptions for Other Laws
A covered entity who complies with the security breach notification requirements established pursuant to federal or other Maine law is deemed to be in compliance as long as the notification procedures are at least as protective as this statute's notification requirements
If you maintain covered info on behalf of another entity, you must notify it immediately following discovery of a breach if covered information was or is reasonably believed to have been acquired by an unauthorized person.
Private Right of Action
The Maine general breach notification statute does not provide for a private right of action.
Violations may result in civil penalties.